The story about how secure boot for Windows 8, part of UEFI, will hinder the use of non-signed binaries and operating systems, like Linux, has registered at Redmond as well. The company posted about it on the Building Windows 8 blog - but didn't take any of the worries away. In fact, Red Hat's Matthew Garrett, who originally broke this story, has some more information - worst of which is that Red Hat has received confirmation from hardware vendors that some of them will not allow you to disable secure boot.

Issue one: you have a 5-year-old machine. In the future, MS has lost the key, so your system can be attacked. Yet the OEM has locked your motherboard and is providing no more updates. So you cannot update the bootloader to fix the problem. So when Microsoft pushes out an update to the bootloader signed with a new key, your computer now dies.

I agree with you that users need to be guaranteed more control over this, but there are a couple issues with this statement.

(1) Microsoft wouldn't "lose" a key; what you're referring to is the key's being leaked. Microsoft would still have the key, but so would everyone else, and as such, anyone could sign boot loaders for the motherboards set up with that key. It would effectively nullify the security "feature" for anyone smart enough to sign an arbitrary boot loader with the leaked key.

(2) Even if the old key is leaked, Microsoft can continue to sign things with it as well as the new key(s). So chances are they would continue to sign their OS and future OSes with those keys so that people who bought locked PCs would continue to be able to install MS OSes. (Even if smart people can sign their own boot loaders with the leaked keys, the average PC user won't be able to, so it would make economic sense to keep providing upgrades that will work with the leaked keys.)